Merge pull request #1521 from simonbaird/fix-unique-rpms-check

Improve the mismatched rpm versions across multi-arch images check

Author: simonbaird

antora/docs/modules/ROOT/pages/packages/release_rpm_packages.adoc

@@ -11,10 +11,9 @@ Rules used to verify different properties of specific RPM packages found in the
 [#rpm_packages__unique_version]
 === link:#rpm_packages__unique_version[Unique Version]
 
-Check if there is more than one version of the same RPM installed across different architectures. This check only applies for Image Indexes, aka multi-platform images. Use the `non_unique_rpm_names` rule data key to ignore certain RPMs.
+Check if a multi-arch build has the same RPM versions installed across each different architecture. This check only applies for Image Indexes, aka multi-platform images. Use the `non_unique_rpm_names` rule data key to ignore certain RPMs.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `Multiple versions of the %q RPM were found: %s`
+* FAILURE message: `Mismatched versions of the %q RPM were found across different arches. %s`
 * Code: `rpm_packages.unique_version`
-* Effective from: `2025-10-01T00:00:00Z`
 * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/rpm_packages/rpm_packages.rego#L17[Source, window="_blank"]

policy/lib/string_utils.rego

@@ -10,3 +10,12 @@ quoted_values_string(value_list) := result if {
 
 	result := concat(", ", quoted_list)
 }
+
+pluralize_maybe(set_or_list, singular_word, plural_word) := singular_word if {
+	# One item, use the singular word
+	count(set_or_list) == 1
+} else := sprintf("%ss", [singular_word]) if {
+	# No plural word provided, make one by adding an "s"
+	plural_word in {null, ""}
+	# Use provided plural word
+} else := plural_word

policy/lib/string_utils_test.rego

@@ -8,3 +8,23 @@ test_quoted_values_string if {
 	lib.assert_equal("'a', 'b', 'c'", lib.quoted_values_string(["a", "b", "c"]))
 	lib.assert_equal("'a', 'b', 'c'", lib.quoted_values_string({"a", "b", "c"}))
 }
+
+test_pluralize_maybe if {
+	test_cases := [
+		{
+			"singular": "mouse",
+			"plural": "mice",
+			"expected": ["mouse", "mice", "mice"],
+		},
+		{
+			"singular": "bug",
+			"plural": "",
+			"expected": ["bug", "bugs", "bugs"],
+		},
+	]
+
+	every t in test_cases {
+		result := [lib.pluralize_maybe(s, t.singular, t.plural) | some s in [{"a"}, {"a", "b"}, {}]]
+		lib.assert_equal(t.expected, result)
+	}
+}

policy/release/rpm_packages/rpm_packages.rego

@@ -17,64 +17,107 @@ import data.lib.tekton
 # METADATA
 # title: Unique Version
 # description: >-
-#   Check if there is more than one version of the same RPM installed across different
-#   architectures. This check only applies for Image Indexes, aka multi-platform images.
+#   Check if a multi-arch build has the same RPM versions installed across each different
+#   architecture. This check only applies for Image Indexes, aka multi-platform images.
 #   Use the `non_unique_rpm_names` rule data key to ignore certain RPMs.
 # custom:
 #   short_name: unique_version
-#   failure_msg: 'Multiple versions of the %q RPM were found: %s'
+#   failure_msg: 'Mismatched versions of the %q RPM were found across different arches. %s'
 #   collections:
 #   - redhat
-#   # Pushed back again due to https://issues.redhat.com/browse/EC-1354
-#   effective_on: 2025-10-01T00:00:00Z
 #
 deny contains result if {
 	image.is_image_index(input.image.ref)
 
-	# Arguably this is a weird edge case that should be dealt with by changing
-	# the build to not be multi-arch. But this avoids producing a confusing and
-	# not useful violation in some cases.
-	not _is_single_image_index(input.image.ref)
+	some rpm_name in rpm_names_with_mismatched_nvr_sets
+	not rpm_name in lib.rule_data("non_unique_rpm_names")
+
+	detail_text := concat(" ", sort(rpm_mismatch_details(rpm_name)))
 
-	some name, versions in grouped_rpm_purls
-	count(versions) > 1
-	not name in lib.rule_data("non_unique_rpm_names")
 	result := lib.result_helper_with_term(
 		rego.metadata.chain(),
-		[name, concat(", ", versions)],
-		name,
+		[rpm_name, detail_text],
+		rpm_name,
 	)
 }
 
-# grouped_rpm_purls groups the found RPMs by name to facilitate detecting different versions. It
-# has the following structure:
-# {
-#     "spam-maps": {"1.2.3-0", "1.2.3-9"},
-#     "bacon": {"7.8.8-8"},
-# }
-grouped_rpm_purls[name] contains version if {
-	some rpm_purl in all_rpm_purls
-	rpm := ec.purl.parse(rpm_purl)
-	name := rpm.name
+# Do some extra work here to make a nice tidy violation message
+rpm_mismatch_details(rpm_name) := [detail |
+	# Get all unique NVR sets for this RPM
+	some nvr_set in {nvrs |
+		some platform, nvrs in all_rpms_by_name_and_platform[rpm_name]
+	}
+
+	# Find all platforms that have this NVR set
+	platforms_with_nvr_set := [platform |
+		some platform, nvrs in all_rpms_by_name_and_platform[rpm_name]
+		nvrs == nvr_set
+	]
 
-	# NOTE: This includes both version and release.
-	version := rpm.version
+	detail := sprintf("%s %s %s %s.", [
+		lib.pluralize_maybe(platforms_with_nvr_set, "Platform", ""),
+		concat(", ", sort(platforms_with_nvr_set)),
+		lib.pluralize_maybe(platforms_with_nvr_set, "has", "have"),
+		concat(", ", sort(nvr_set)),
+	])
+]
+
+# Detect RPMs where the set of nvrs differs across platforms.
+# Generally the sets of versions are of size one, but in some cases we have more
+# than one version of a particular rpm due to multi-stage builds.
+rpm_names_with_mismatched_nvr_sets contains rpm_name if {
+	some rpm_name, platform_sets in all_rpms_by_name_and_platform
+	nvr_sets := {nvrs | some _platform, nvrs in platform_sets}
+
+	# If there are more than one unique set of nvrs, then we have some
+	# kind of mismatch between the platforms
+	count(nvr_sets) > 1
 }
 
-all_rpm_purls contains rpm.purl if {
+# A list of rpms grouped by rpm name and by platform
+# Something like this:
+# {
+#   "acl": {
+#     "linux/arm64": ["acl-2.3.1-4.el9"],
+#     "linux/ppc64le": ["acl-2.3.1-4.el9"],
+#     ...
+#   },
+#   ...
+# }
+all_rpms_by_name_and_platform[rpm_name][platform] contains nvr if {
 	some attestation in lib.pipelinerun_attestations
+
+	# We're expecting multiple matrixed build tasks, one
+	# for each platform
 	some build_task in tekton.build_tasks(attestation)
+
+	# Determine which os/arch was built by this build task.
+	# Note: We expect this to be present for the Konflux multi-arch builds. If it
+	# isn't then this check doesn't work and mismatched rpm versions will not be
+	# detected. If there was somehow a different way to build a multi-arch image,
+	# we would need to find another way to figure out which platform each SBOM is
+	# related to.
+	platform := tekton.task_param(build_task, "PLATFORM")
+
+	# Find the SBOM location
 	some result in tekton.task_results(build_task)
 	result.name == "SBOM_BLOB_URL"
-	url := result.value
-	blob := ec.oci.blob(url)
-	s := json.unmarshal(blob)
-	some rpm in sbom.rpms_from_sbom(s)
-}
+	sbom_blob_ref := result.value
 
-# For detecting image indexes with just a single image in them.
-# (I don't think there are any valid reasons for these to exist)
-_is_single_image_index(ref) if {
-	index := ec.oci.image_index(ref)
-	count(index.manifests) == 1
-} else := false
+	# Fetch the SBOM data
+	sbom_blob := ec.oci.blob(sbom_blob_ref)
+	s := json.unmarshal(sbom_blob)
+
+	# Extract the list of rpm purls from the SBOM and parse out
+	# the rpm version details
+	some rpm_info in sbom.rpms_from_sbom(s)
+	rpm := ec.purl.parse(rpm_info.purl)
+	rpm_name := rpm.name
+	rpm_version := rpm.version
+
+	# We really only need the version, but it's convenient for
+	# creating violation messages if we use the full nvr here.
+	# Note that rpm.version is actually the version and the release in
+	# RPM terms, hence this is the name-version-release, aka the nvr
+	nvr := sprintf("%s-%s", [rpm_name, rpm_version])
+}